GCHQ’s Cracking Good Idea That Failed The Test

The GCHQ recruitment puzzle has been full of security holes but it was more of a publicity stunt than anything else, says Eric Doyle

The UK Government Communications Headquarters (GCHQ) has suffered a breach of its own secure systems. It’s not something that will threaten the border integrity of the nation but it does pose questions about national attitudes.

As the government’s pivotal security department, GCHQ decided to recruit codebreakers to face the new challenges of cyberspace. As the organisation is taking its place at the forefront of the government’s plans for The UK Cyber Security Strategy, it decided the best form of unearthing talent was to launch a code hacking competition.

Christmas crackers

The site, which closes on 11 December, was supposed to be a new approach to recruiting eBonds, the geek equivalent of the shadowy agents in the James Bond mould that through stealth and social engineering managed to obtain, primarily, Soviet secrets during the cold war. Many of these spies have come in from the cold of Russian winters into the warmth of the doughnut that is GCHQ’s Cheltenham operations centre.

Riding on the crest of a wave of a £650 million investment to set up the National Cyber Security Programme, the plain-looking Can You Crack It? competition displays an array of 160 hexadecimal numbers, a code that leads the player to a keyword. Anyone who has examined code at the bare metal level will recognise the hex as a possible program – which it is but elements of it are fiendishly hidden.

Once the code is untangled and run, a keyword is revealed. Entering the keyword then reveals a “success” screen emblazoned with the GCHQ name and the question: “Could you use your skills and ingenuity to combat terrorism and cyber threats?”

The link on the success page leads to a third screen giving further details of how to apply.

OK, cracking the code is one way in but there are two others. Simply entering a general Google site search (site:www.canyoucrackit.co.uk) will take you to the success screen. But why tax your brain – after all, it’s just an advertising gimmick linked to GCHQ’s Facebook page to attract British-born geeks.

The easiest way to get to the application form screen is to go to GCHQ’s careers site and click on Hot Jobs – Cyber Security Specialists, which takes you straight to the job application screen. Or just click on the link I’ve just given you. Doh!

Source code

Yesterday Dr Gareth Owen at the University of Greenwich School of Engineering posted up videos of the three-stage solution to the puzzle.

One of the more amusing comments to come out of GCHQ is that cheats will be disqualified. Hang on a minute, we need people with a sense of fair play to combat terrorists, organised crime, and random mischievous hackers? Is that GCHQ’s message? GC cripes.

Surely, these “cheats” are the very people we need. Devious individuals who think like the wily people we are combating. If you want to catch a criminal you have to think like a criminal.

Anyone who sidestepped the problem to get to the answer is surely to be commended for their efficiency. As Walter Chrysler famously said, “Whenever there is a hard job to be done I assign it to a lazy man; he is sure to find an easy way of doing it.”

Similarly, GCHQ could have taken the easier path by looking at the current and past Cyber Security Challenge (CSC) competitors. This partially government-sponsored competition is geared towards finding people with the correct approach to security. Not security experts but individuals with the innate talent to become the cyber stars of the future.

The Challenge filters out people with the correct mix of paranoia, deviousness and lateral thinking that goes to make a good cyber security chief. The academic path into security often results in producing mechanics who are good at applying rules, principles and products. You can lead a trainee to potter but you can’t make them think. The GCHQ will certainly get bums on the vacant seats it needs to hurriedly fill – but is the recruitment process as effective as the route of the CSC’s year-long range of tests?

These tasks are devised by professional trainers and experienced staff from the industry. Maybe the spy bosses could persuade the CSC organisers to introduce a stronger cypher-breaking thread to filter out some of the hidden talent who could be proactive rather than reactive in the cyber intelligence field.
